Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
ISO/IEC 29192-2: Lightweight Cryptography — Part 2: Block Ciphers
PRESENT, CLEFIA, and other lightweight block cipher designs for constrained environments
Block ciphers remain the workhorse of symmetric cryptography, and ISO/IEC 29192-2 addresses the challenge of designing and standardising block ciphers that can be implemented with extremely low hardware resource consumption while maintaining adequate security margins. The standard currently specifies three lightweight block ciphers: PRESENT, CLEFIA, and the more recently included SIMON and SPECK families. Each algorithm reflects a different design philosophy and suits different application constraints.
The gate-equivalent (GE) count of a cipher implementation is the single most important metric in lightweight design. PRESENT-80 requires approximately 1 570 GE in a 0.18 µm CMOS process — roughly 6× smaller than a compact AES-128 implementation at around 3 400 GE.
PRESENT — An SPN Lightweight Benchmark
Algorithm Structure
PRESENT is a Substitution-Permutation Network (SPN) with a block size of 64 bits and two key-length variants: PRESENT-80 (80-bit key) and PRESENT-128 (128-bit key). It uses 31 rounds, each consisting of a round-key XOR, a 4×4 S-box applied to all 16 nibbles in parallel, and a bitwise permutation P-layer. The S-box was carefully chosen to minimise gate count — it requires only 4 input NAND gates in its most compact form — while providing strong differential and linear cryptanalysis resistance.
When implementing PRESENT in software on a general-purpose MCU, the bitwise permutation layer becomes expensive because it does not align well with byte boundaries. A lookup-table approach can mitigate this but increases memory footprint. Hardware implementations, conversely, realise the permutation as simple wire crossings at zero gate cost.
CLEFIA — Feistel-Based Flexibility
Design Rationale
CLEFIA uses a generalised Feistel network with a 128-bit block size and supports 128-, 192-, and 256-bit keys. It employs two distinct S-boxes (S0 and S1) and a diffusion matrix based on a 4×4 Maximum Distance Separable (MDS) matrix over GF(2⁸). This gives CLEFIA strong diffusion properties in fewer rounds than a purely SPN design of comparable security. CLEFIA requires approximately 3 000 GE in hardware, making it suitable for Class 2 and Class 3 devices.
| Algorithm | Block Size | Key Size | Rounds | Structure | Gate Count (GE) | Throughput (Mbps at 100 kHz) |
|---|---|---|---|---|---|---|
| PRESENT-80 | 64 | 80 | 31 | SPN | 1 570 | 12.9 |
| PRESENT-128 | 64 | 128 | 31 | SPN | 1 886 | 12.9 |
| CLEFIA-128 | 128 | 128 | 18 | Feistel (GFN) | ~3 000 | 17.8 |
| SIMON 64/128 | 64 | 128 | 44 | Feistel (ARX) | ~1 200 | 27.3 |
| SPECK 64/128 | 64 | 128 | 27 | ARX | ~1 050 | 35.6 |
Engineering Considerations for Implementation
Hardware Optimisation Strategies
The standard discusses several implementation techniques. Serialised architectures reuse a single round datapath for multiple clock cycles, dramatically reducing area at the cost of throughput. For PRESENT, a fully unrolled implementation uses about 7 000 GE but processes one block per clock; a serialised version can drop below 1 000 GE. The choice depends on whether the application needs real-time encryption of a high-bandwidth stream or occasional authentication of short messages.
Side-Channel Resistance
ISO/IEC 29192-2 recommends that lightweight block cipher implementations include first-order masking to protect against Differential Power Analysis (DPA). For PRESENT, masking the S-box is non-trivial because the 4-bit S-box does not decompose neatly into smaller functions. Threshold implementations (TI), which split each sensitive variable into multiple shares, are the recommended approach and typically add 40–60 % to the gate count.
Both PRESENT and CLEFIA have been extensively cryptanalysed over more than a decade. No practical attack breaks the full-round cipher faster than brute force. This gives designers confidence that the standardised algorithms are mature and well-understood.
Never use the light version of PRESENT (PRESENT-LIGHT) without side-channel countermeasures in a product where an attacker can physically access the device. The small S-box makes correlation power analysis particularly effective if unprotected.
Frequently Asked Questions
Q1: Which cipher should I choose for an ultra-low-power sensor tag?
PRESENT-80 offers the best area-efficiency ratio. If your protocol requires 128-bit blocks, CLEFIA is the standardised choice within the 29192 series. For pure software efficiency on 8-bit MCUs, SPECK tends to perform well.
PRESENT-80 offers the best area-efficiency ratio. If your protocol requires 128-bit blocks, CLEFIA is the standardised choice within the 29192 series. For pure software efficiency on 8-bit MCUs, SPECK tends to perform well.
Q2: Are the ciphers in 29192-2 suitable for use with wireless standards like IEEE 802.15.4?
Yes. PRESENT and CLEFIA can be integrated into the security sublayer of IEEE 802.15.4 with appropriate mode-of-operation selection (e.g., CCM mode for combined encryption and authentication).
Yes. PRESENT and CLEFIA can be integrated into the security sublayer of IEEE 802.15.4 with appropriate mode-of-operation selection (e.g., CCM mode for combined encryption and authentication).
Q3: How do I handle key management for millions of deployed devices?
The standard does not prescribe key management; that is the domain of ISO/IEC 11770. However, 29192-2 mandates that implementations support at least the key sizes specified, and recommends that unique keys be derived from a device-specific secret using a lightweight key-derivation function.
The standard does not prescribe key management; that is the domain of ISO/IEC 11770. However, 29192-2 mandates that implementations support at least the key sizes specified, and recommends that unique keys be derived from a device-specific secret using a lightweight key-derivation function.
Q4: What is the expected lifetime of PRESENT as a standardised algorithm?
PRESENT has been standardised since 2009 and has withstood extensive cryptanalysis. It is expected to remain secure for at least another decade for Level 2 applications. For longer-term deployments, the 128-bit key variant is recommended.
PRESENT has been standardised since 2009 and has withstood extensive cryptanalysis. It is expected to remain secure for at least another decade for Level 2 applications. For longer-term deployments, the 128-bit key variant is recommended.
